When working with a Remote Desktop Services farm which has a larger number of collections, you most likely want to provide user access via Remote Desktop Web Access instead of .rdp files or similar ways. RD Web Access has the advantage that it is dynamically created on the base of currently existing RD collections and it only shows those collections a user has access to. Or at least it should.
When logging into the RD Web Access homepage (https://<rdwa-server>/RDWeb), users can see all available RD collections, even those they do not have access to. They are not able to connect to those collections which means that the permissions are basically set correctly, but the number of collections makes the site quite confusing. Also, you might not want every user to know which collections there are (it’s a bit of a security/privacy concern).
Changing group memberships of the users does not change a thing, so do different GPO sets, but you might experience that some Active Directory OUs behave differently (which means if you move a user to those OUs, they only see what they are supposed to see).
Go to one of the RD Web Access servers, make a backup of the file “%windir%\web\rdweb\web.config”, then open it and search for the line
<add name="TraceTSWA" value="0" />.
Set the value to “2” (which means the log level is set to “Warning”). A few lines below, you will find a block containing
<add name=”File Log” which is commented using
<!-- at the start and
--> at the end. Uncomment this section and restart the IIS.
As a result, after testing the login, the log “%windir%\web\rdweb\App_Data\rdweb.log” should be created, containing errors concerning the problem, like this one:
Error starting filtering: Could not initialize context from SID. SID: S-<...>, Error: 0x80070005
This behavior occurs when the RD Web Access servers lack permissions to check which permissions the users have. Though it sounds crazy, to quote the technet: “If the User Assignment Filter fails, the user will see all the Applications (By Design for Windows 2012/2012R2 onwards)”.
Add the Active Directory Computer accounts of the RD Web Access servers to the BuiltIn AD group “Windows Authorization Access Group”, wait a few minutes and reboot them.
This is required because “This issue occurs when a domain is created by using the option Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. When this option is selected, the built-in Everyone group is not made a member of the “Pre-Windows 2000 Compatible Access” group. This issue also occurs if the membership of the group is later changed to no longer include the Everyone group as part of a domain security hardening procedure.“, (see https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/cannot-view-remoteapp-rd-session-host for details.)
Afterwards, users a restricted to the collections they do have permissions to: